Free AI Act check

Does the EU AI Act reach your AI?

You already run a DORA programme. The AI Act lands on top of it — but only on some systems, and it decides by what the AI does, not by who you are. Six questions to find out where you stand.

~2 minutes No signup Instant result

Question 1 of 6

What is your organisation?

The AI Act binds providers and deployers of AI systems. Being a DORA entity does not by itself put you in scope — and not being one does not keep you out.

Question 2 of 6

Where does the AI system come from?

This is the question that decides how heavy your obligations are. Buying is far lighter than building — but there is a trapdoor between the two.

Question 3 of 6

What does the system actually decide or do?

Annex III lists the high-risk use cases by name. Only two of them are specific to finance.

Question 4 of 6

Do you touch a general-purpose AI model?

GPAI duties attach to whoever puts a general-purpose model on the market. Calling someone else's API does not make you a GPAI provider.

Question 5 of 6

Does the system do any of these?

These practices are banned outright — already, since February 2025. No risk assessment makes them lawful.

Question 6 of 6

Does it interact with people or generate content?

Transparency duties (Art. 50) apply on top of any risk tier — and they bite on 2 August 2026, sooner than the high-risk rules.

Please answer every question for an accurate read.

What applies to you

Prohibited
High-risk
GPAI
Transparency
DORA overlap

Indicative only. This is an educational aid, not legal advice or a conformity assessment. Classification under the EU AI Act turns on the intended purpose of the specific system, and one organisation can hold several roles at once across different systems. Deadlines reflect the Digital Omnibus on AI (Council green light, 29 June 2026). For a binding view, consult a legal partner.

How your AI Act exposure is classified

The tool applies the tiers of the EU AI Act (Regulation (EU) 2024/1689) in the order the Act itself imposes them. The first tier that matches decides the verdict — a prohibited practice is not "also" high-risk, it is banned.

Order of classification

  1. Prohibited practice (Art. 5) — social scoring, emotion inference in the workplace, untargeted scraping of facial images. Banned outright since 2 February 2025, whatever else is true.
  2. High-risk, Annex III (Art. 6(2)) — for finance, the named use cases are creditworthiness evaluation and credit scoring of natural persons (point 5(b)) and risk assessment and pricing in life and health insurance (point 5(c)). Employment screening (point 4) and biometric identification (point 1) apply to any employer.
  3. GPAI (Art. 51-55) — obligations attach to whoever places a general-purpose model on the market. Consuming a third-party API does not. Fine-tuning one only makes you the provider of the modified model if the modification's training compute exceeds roughly a third of the original's (indicative criterion, Commission GPAI guidelines of 18 July 2025) — a line adapter-tuning does not come close to. The systemic-risk presumption sits at 1025 FLOPs.
  4. Transparency (Art. 50) — disclose that a user is talking to an AI, and mark synthetic content. Applies regardless of risk tier.
  5. Minimal risk — no substantive AI Act obligation. Article 4 still asks providers and deployers to take measures supporting the AI literacy of their staff; the Digital Omnibus softened this from "ensure a sufficient level", and it does not require guaranteeing any particular level for any individual.

The two traps this tool is built around

Dates used

Penalties (Art. 99)

Basis: Regulation (EU) 2024/1689, Art. 4, 5, 6, 16, 25, 26, 50, 51-55, 99, 113 and Annex III. Deadlines and Art. 4 wording as amended by the Digital Omnibus on AI (Council green light, 29 June 2026).

Your next step
DORA sideConfirm your DORA scopeAI systems sit inside your ICT estate — check the entity classification first.Pillar 4Score the AI vendorIf you bought the model, it is a third party: DORA Art. 28-30 plus AI Act conformity.LearnDORA AI-Resilience SpecialistThe certification for running AI inside a DORA-regulated estate.
Keep your results

Email me my results + the DORA action checklist

We will send your results and the 127-point DORA compliance checklist to your work inbox. Unsubscribe anytime.

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.

Get Your Free DORA Score Join Free Monthly Webinar